sudo -- arbitrary command execution

Details

VuXML ID

1b725079-9ef6-11da-b410-000e0c2e438a

Discovery

2005-10-25

Entry

2006-02-16

Tavis Ormandy reports:

The bash shell uses the value of the PS4 environment
variable (after expansion) as a prefix for commands run
in execution trace mode. Execution trace mode (xtrace) is
normally set via bash's -x command line option or
interactively by running "set -o xtrace". However, it may
also be enabled by placing the string "xtrace" in the
SHELLOPTS environment variable before bash is started.

A malicious user with sudo access to a shell script that
uses bash can use this feature to run arbitrary commands
for each line of the script.